Fileless Malware: Not Just a Threat, but a Super-Threat

Exploits are getting more sophisticated by the day, and cybersecurity technology just isn't keeping up.

It's almost like something out of Star Trek. Imagine an alien who can see you, but whom you can't see — one who has violence on his/her/its mind. A punch coming from out of nowhere; a vase flung at your head with no one seemingly throwing it; a punch to the gut, then a karate chop to the neck, maybe a blast from an (also invisible) ray gun, and you're down for the count. How would you fight it? How could you fight it?

Those invisible aliens may not have landed on earth just yet, but invisible malware — called fileless malware or in-memory malware — is wreaking havoc and bringing intergalactic war-style destruction to IT systems the world over. Like an invisible alien, fileless malware can strike from multiple directions, without victims even being aware they were targeted, until it's too late. Fileless malware — in which hackers call malware routines remotely and load them into memory in order to compromise or steal data — is not new, but hackers increasingly have turned to that type of attack. According to McAfee, fileless threats with PowerShell malware grew by 119% in the third quarter of 2017 alone, and they have been such a rousing success that hackers plan to greatly expand their use this year, security experts are convinced.

But fileless malware is just one of numerous threats and attacks that are now in vogue; 2018 could see more and more challenging cyberattacks, experts believe. With cryptocurrencies so popular now, hackers have begun using botnets to create the computing power needed to mine coins. AI has helped hackers develop more effective social engineering messages, "weaponizing" big data and AI to convince hapless victims to open spear-phishing messages more frequently by matching the message with the personality of the recipient. And botnets that control infected devices, commanding them to infect even more devices — a "swarm effect" — will allow hackers to grow their networks of compromised devices and systems exponentially.

Add to all that the major security risks that come in the form of the Meltdown and Spectre exploits, which affect almost every person and organization that uses a computer, smartphone, tablet, or any other device, and you have the makings of what could be the most challenging year ever for cybersecurity. Attacks are likely to come fast and furious from all directions — and there's little doubt that these new attacks, like fileless malware, will overwhelm any existing cybersecurity protocols.

Let's take a closer look at fileless malware. How would an IT team fight it? Fileless malware actually does come in the form of a file — but it's an innocuous file that for all the world looks like a legitimate Word or Excel file. It has no malware features that antivirus systems could catalog and blacklist; it has no suspicious profile that a sandbox could analyze and ban for improper behavior. All it contains is a link that, once clicked, lets a macro call the malware from a remote server and load it directly into memory via a PowerShell script.

The macro itself contains a link that is triggered when the macro runs: the macro pops up and asks the user to click on the link. The link is called remotely only once the macro has been loaded into memory, so there is no hint of a security problem when the file itself passes through the sandbox. There is nothing for it to inspect. That, in fact, is exactly what South Korean researchers discovered in December, as they examined email messages containing documents that loaded and installed malware in this manner.

Options Are Few

There is no way the current crop of cybersecurity systems — be they antivirus systems, sandboxes, or anything else — could possibly identify those files as a malware scam. The best they can do is allow documents only from verified sources (websites, email addresses) — but even that is no sure-fire guarantee; who's to say that the sender hasn't been compromised without his knowledge?

What's left? Closing off the Internet altogether? Hand-vetting each and every file, document, link, or anything else that comes into the organization? Both those ideas, obviously, are impractical. The only solution is a system that can see "inside" these files — evaluating the file and the macro inside it, and determining whether it's safe to pass the file through as is. Better still, the system could remove the offending macros and pass on a clean version to users, who would then be able to use the file without fear.
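The "see inside the file, strip the offending macro, pass on a clean version" approach described above, as an added Python example that is not Votiro's product or the article's own code. Office documents are zip packages, so the VBA project the macro lives in is a named part that can be detected and removed; the sample .docm is constructed inline, and the MACRO_FREE mapping and the standard-library-only approach are this example's assumptions.

```python
import io
import re
import zipfile

MACRO_FREE = {  # macro-enabled main-part content type -> its macro-free equivalent
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
}
VBA_PARTS = ("vbaproject.bin", "vbadata.xml")  # package parts holding the VBA project

def has_macros(doc: bytes) -> bool:
    """True if the OOXML package carries a VBA project part or a macro-enabled content type."""
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        if any(n.lower().endswith(VBA_PARTS) for n in z.namelist()):
            return True
        return any(k in z.read("[Content_Types].xml").decode("utf-8") for k in ("macroEnabled", "vbaProject"))

def strip_macros(doc: bytes) -> bytes:
    """Rebuild the package without its VBA project, fixing content types and relationships."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            if name.lower().endswith(VBA_PARTS):
                continue  # drop the macro project itself; the document body is untouched
            data = src.read(name)
            if name == "[Content_Types].xml":
                xml = data.decode("utf-8")
                for macro_ct, clean_ct in MACRO_FREE.items():
                    xml = xml.replace(macro_ct, clean_ct)
                # remove the Default/Override entries that declare the VBA part types
                xml = re.sub(r'<(Default|Override)\b[^>]*vba(Project|Data)[^>]*/>', "", xml)
                data = xml.encode("utf-8")
            elif name.endswith(".rels"):  # remove the now-dangling vbaProject relationship
                data = re.sub(rb'<Relationship\b[^>]*vbaProject[^>]*/>', b"", data)
            dst.writestr(name, data)
    return out.getvalue()

def build_sample_docm() -> bytes:  # constructed sample: a minimal .docm, not a captured file
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>')
        z.writestr("word/_rels/document.xml.rels", '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Target="vbaProject.bin" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject"/></Relationships>')
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"PLACEHOLDER VBA PROJECT")
    return buf.getvalue()
```

The same detection runs on .xlsm workbooks because the VBA part names and the Excel content type are covered; a production sanitizer would also have to handle legacy OLE2 (.doc/.xls) containers, which this example does not.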

The bottom line is that in order to pull off an exploit, hackers have to be able to deliver their wares in some form — even in a "fileless" form. If there's one thing that won't be different about this year, it's that, like last year and 10 years ago, hackers must have a hook on which to hang their exploit hats. Those exploits are getting more sophisticated by the day — and cybersecurity technology is just not keeping up. There's only one way to confront and beat invisible aliens — using X-ray specs that let the wearer see exactly what she is up against. Where are the X-ray specs that will reveal the specialized tricks hackers are successfully using nowadays? That's a question we need to answer — and soon.


Itay brings to Votiro more than 15 years of executive management experience in cybersecurity at global technology companies based in the U.S., Europe, and Asia. Prior to co-founding Votiro, he played a key role in managing the development of equipment for the lawful ...
